Xcode projects weaponized to distribute Mac malware

A sneaky strain of malware dubbed XCSSET is doing the rounds via poisoned Xcode projects, mostly affecting Safari and other browsers running on a victim’s Mac.

The unorthodox infection chain has been recently discovered by a team of researchers at Trend Micro. According to their findings, malicious actors are exploiting Xcode projects to host and spread harmful payloads. For those uninitiated, Xcode is an integrated development environment (IDE) for macOS. It embraces a suite of tools for creating applications supported throughout Apple’s software ecosystem. By riddling Xcode projects with a spinoff of the XCSSET Mac malware lineage, cybercriminals can expand the attack surface significantly as the unsuspecting developers share their projects via popular repositories such as GitHub.

This campaign is additionally boosted by two zero-day exploits. One of them hinges on a vulnerability in Data Vault implementation that allows an attacker to bypass macOS defenses against unauthorized access to Safari cookies. This flaw paves the hacker’s way toward stealing cookie-related data without raising any red flags. The other exploit is leveraged to create a booby-trapped development version of Safari that’s susceptible to a number of stealth attacks.

The after-effects of infection

Once the XCSSET payload is executed in a system, it reads Safari cookies and harnesses them to inject backdoors into web pages that the victim visits. This dodgy mechanism is triggered by means of a universal cross-site scripting (UXSS) attack, which turns out to have the following extra implications in this exploitation chain.

• Modifying browser sessions. This form of tampering allows the malware to cause unwanted browser redirects, alter cryptocurrency wallet addresses, gather credit card details tied to Apple Pay, and get hold of the Apple ID password as well as authentication info for Google and PayPal accounts.
• Data theft. The harmful code can surreptitiously obtain sensitive information ranging from Evernote and Notes apps’ content – to communication in popular messengers such as Telegram, WeChat, Skype, and QQ.
• Screen capture capability. This one is self-explanatory: the XCSSET malware can take screenshots at random.
• Data exfiltration. Most of the above shenanigans only make sense to an attacker if the amassed information can be sent out of the Apple device. This infection bridges the gap by establishing a connection with its operator’s C2 server to submit every piece of data it has collected.
• Ransomware component. The threat is equipped with an encryption module and can display a blackmail message instructing the user to contact the attacker for recovery steps using a specified QQ ID.

How big is the issue?

At the time of publication, only a couple of Xcode projects were found to be polluted with XCSSET. This is cold comfort, though. As soon as a malware-laden project is uploaded to the GitHub platform, other developers who use this information for their own coding initiatives will get on the hook as well.

This method underlies what Trend Micro calls a “supply-chain-like” attack that isn’t likely to set off alarm bells. Although this isn’t a massive outbreak at this point, its self-inflation quirk may shape up to be a serious security concern down the line.